Abstract

We show how QKD on a multi-user, multi-path, network can be used
to establish a key between any two end users in an asynchronous fashion
using the technique of bit-transport. By a suitable adaptation of our
previous secret-sharing scheme we show that an attacker has to compromise
all of the intermediate relays on the network in order to obtain the key.
Thus, two end users can establish a secret key provided they trust at least
one of the network relays.

1 Introduction

The elegant and startlingly original theoretical idea of Quantum Key
Distribution (QKD) [1] has developed into a mature technology [2] with commercial
systems readily available. Nevertheless, for a variety of reasons, it still remains
something of a curiosity amongst security professionals. There is a sense in
which the technology, however beautiful, addresses a non-existent problem since
the threat models used by security professionals rarely put key distribution at
the top of the list, with good reason. Existing key distribution mechanisms
are considered to be more than adequate to address the perceived risk.
Furthermore, with suitable key-expansion algorithms, there is little in practice that
QKD can achieve that a conventional classical system cannot.

The security of QKD is based on different principles, however, and conven- 
tional security techniques largely rely on unproven (but reasonable) assumptions 
[3]. So, for example, the security proof for a block cipher used in a suitable mode 
for key expansion, rests on the assumption that the cipher is a pseudorandom 
permutation. Whether we choose a QKD system or a conventional classical 
system for our key distribution, we still have to rely to some extent on our 
confidence in the underlying principles on which the security is based. 

Another difficulty with QKD is the limitation imposed by the nature of the 
technology. The technique relies on the transmission of single quanta, or at least 
a reasonable approximation to them. Any network element which is too lossy,
or actively processes the signal in some way, will destroy the capability of the
quantum channel to transmit keys. Thus, installing the technology on realistic 
networks poses something of a technical challenge. Whilst stable and tested 
solutions exist for point-to-point links, extending this to a network application is 
not straightforward and relies on the introduction of additional trusted network 
elements to enable the system to span reasonable distances and to route the 
signal between the required end points of the network. Good progress, however, 
has been made in developing the basic technique to work on more realistic 
communication networks [4,5]. 

The above comments notwithstanding it is likely that QKD will find appli- 
cation as part of an overall security solution for some situations and networks. 
Furthermore, the current threat model to key distribution will significantly alter 
as more progress is made towards the development of a working quantum com- 
puter that can process strings of qubits of sufficient size to pose a threat to ex- 
isting public-key mechanisms [6,7]. Whilst classical key distribution techniques 
based on symmetric cryptography can address the threat posed by quantum 
computation, it is by no means certain that these will be an obvious natural 
choice over a QKD solution should the need arise for a widespread overhaul of 
the existing key distribution techniques based on public-key cryptography. 

In this paper we look at how the bit-transport technique for QKD [8] can 
be used on a network in an asynchronous fashion to establish keys between any 
end-users of the network. The technique requires that the network relays act as 
intermediaries to correlate various QKD transmissions together. We show that 
with a suitable arrangement of relays an attacker has to compromise all of the 
relays on any particular channel in order to obtain the key. Thus, instead of 
having to trust all of the relays on a channel, the end users only have to trust at 
least one. We achieve this by a suitable adaptation of our 'drop-out' technique 
[9] for single QKD channels. 

2 A Single-Relay QKD Channel 

A relay on a QKD channel is used, primarily, to increase the distance. The 
conventional way of achieving this is for Alice and Bob to each establish separate 
quantum$^1$ keys with the intermediate relay. In an obvious notation Alice ($A$)
establishes a key with the relay ($R$) which we label $QK_{AR}$. Bob establishes a
different key $QK_{RB}$ where we have used the order of the indices here to denote
the 'direction' of key establishment which we take to be the direction in which 
the quanta are transmitted. The final key, K, between Alice and Bob can be 
established in a linkwise fashion. 

If one relay is not enough to span the distance between A and B with a
quantum key transmission then, clearly, we can use any number of intermediate
relays which each establish a separate quantum key $QK_{R_jR_k}$. Once all of the
keys between the various network entities have been established, the final key
between Alice and Bob can again be established in a linkwise fashion.

$^1$ We use the term 'quantum key' here merely to describe the process by which the key has
been established, that is, by quantum key distribution. There is, of course, nothing quantum
about the key itself!

In our previous work [8] we showed how we can use intercept/resend relays 
[10] to establish an end-to-end key over an extended distance with no loss of 
effective final key size. The primary concern with any relay system is that the 
relays have to be trusted intermediaries. In conventional, or intercept/resend, 
operation the compromise of a single relay compromises the entire channel. In 
[9] we showed how it was possible to modify the transmission protocol by adding 
a single relay (at least) so that an attacker needs to compromise all of the relays 
on a channel in order to obtain the key. This technique employs the notion of 
quantum secret sharing developed for multi-path networks in [11] in which we 
create distinct logical paths on a single channel by randomly dropping out the 
relays from the channel. 

2.1 Asynchronous Bit-Transport on the Channel 

Let us consider a channel over which Alice and Bob desire to establish a quantum 
key. Further, let us suppose that a single relay is required to span the distance 
so that the channel is of the form Alice → Relay → Bob. There are two ways
in which the relay can be operated; in link-by-link mode, or in intercept/resend 
mode to establish an end-to-end key. We have shown how bit transport can be 
used to establish an end-to-end key with intercept/resend relays [8], we'll now 
consider how bit transport can be used to establish a key between Alice and Bob 
in an asynchronous fashion with the help of the relay. The relay establishes an 
independent QKD channel with Alice and Bob, respectively. On each channel 
the bits are sifted with public announcement of the coding basis and the 'bad' 
channels discarded. At the end of this process Alice and the relay, and Bob and 
the relay, possess a set of data that should, in an ideal world and in the absence 
of an eavesdropper, be in perfect respective agreement. The 4 sets of data can 
be checked for errors. If the error rate is not too high then the data sets can be 
saved and labelled. 

After many such transmissions Alice and the relay have $n$ sets of data
$S_{AR}^{(k)}$ and $\bar{S}_{AR}^{(k)}$ ($1 \le k \le n$), where the bar denotes
the relay's data set which could differ slightly from the corresponding set of
Alice if there are errors on the channel. The relay and Bob have similar sets of
data, $S_{RB}^{(k)}$ and $\bar{S}_{RB}^{(k)}$, and we assume that they have $m$
such sets. The elements of each set consist of a tuple $(t, b)$ where $t$ is the
timeslot and $b$ is the bit value. So for a given pair of sets, $S_{AR}^{(k)}$
and $\bar{S}_{AR}^{(k)}$, we would have elements $(t, b)$ for Alice and elements
$(t', b')$ for the relay. We would have $t = t'$ but in the presence of errors we
would have $b = b'$ for most, but not all, of the timeslots. Let us suppose that
Alice and the relay now conduct a secure error-correcting process so that at the
end of this, and with a suitable re-labelling of the timeslot values, we have
that $t = t'$ and $b = b'$ for all elements. Let us label the sets after
error-correction by $\Sigma$. We further suppose that Bob and the relay perform
the same process on their sets so that they also have identical sets with
elements $(t, \beta)$.



Now if Alice and Bob wish to establish a key then the relay can choose
one of the error-corrected sets $\Sigma_{AR}^{(j)}$ and one of the
error-corrected sets $\Sigma_{RB}^{(k)}$ essentially at random (or select from
those which initially had a lower error rate, for example). The relay can then
choose the timeslots, at random, from the sets such that $b = \beta$ and simply
announce the respective timeslots to both Alice and Bob. Alice and Bob will then
share the same set of bits which can subsequently be used as a key. An
eavesdropper has to have collected all of the data between Alice, Bob and the
relay in order to have any chance of getting any information about the key,
because she cannot know in advance which sets of data the relay will choose. Of
course, once the timeslots have been announced then Alice and Bob need to
perform a privacy amplification [2,7] on their data in order to eliminate the
possible information the eavesdropper could have gleaned to a negligible
level.$^2$

There are variations on this protocol. For example, the error-correction 
need not be done before the linking of the timeslots by the relay (although 
this will increase the effective error rate on the final data). The participants 
on the channel could, with a collection of error-corrected sets, decide to XOR 
these sets together to reduce the potential information of the eavesdropper. 
With the necessity to establish only a short key and with a potentially large 
number of sets to choose from this technique could reduce the eavesdropper's 
information to negligible levels in a similar fashion to the standard privacy 
amplification procedure. Alternatively, the privacy amplification could be done 
on the error-corrected sets $\Sigma$, individually, before the bit-transport by linkage
of the timeslots. Furthermore, the linkage on this channel need not be initiated 
by the relay. Alice, for example, could begin the linkage by announcing the 
timeslots she wishes to use which then get correlated by the relay to suitable 
timeslots of Bob's. The linkage need not be restricted to the selection of a single 
respective set of the participants. Indeed, elements from different sets could 
be chosen at random provided that they have the same bit value. The main 
limitation of this asynchronous key-establishment, whichever protocol variation 
is adopted, is that the relay has to be entirely trusted by Alice and Bob. 

$^2$ Although privacy amplification can be performed after the bit-transport (as we have
discussed here) this is not optimal because the linkage of the timeslots gives the attacker a
greater number of bits of the key that she knows with certainty.

3 QKD Channels with Multiple Relays

It is clear that this process can be extended to channels which require multiple
relays. Let us consider a channel between Alice and Bob that requires 2 relays
to span the distance. Thus we have a channel of the form:

$A \to R_1 \to R_2 \to B$

Independent QKD transmissions are run on the channels $A \to R_1$,
$R_1 \to R_2$ and $R_2 \to B$ so that at the end of many such runs, and after
sifting and error-correction, Alice and $R_1$ share $n$ sets
$\Sigma_{AR_1}^{(k)}$, the two relays share $m$ sets $\Sigma_{R_1R_2}^{(k)}$,
and $R_2$ and Bob share $l$ sets $\Sigma_{R_2B}^{(k)}$. For convenience we shall
assume that all of these sets are of the same size with cardinality $N$. The
timeslot index is just an integer identifying a transmission instance, thus each
of these sets consists of elements of the form $(t, b)$ with $1 \le t \le N$ and
$b \in \{0, 1\}$. Each set is therefore an ordered list of $N$ bit values. An
example for $N = 10$ is given below, in which Alice and the first relay have
selected$^3$ the 4th set from their list of $n$ sets, the relays have selected
the 2nd set from their list of $m$ sets, and the second relay and Bob have
selected the 7th set from their list of $l$ sets. In practice $N$ will be orders
of magnitude greater than 10.
Let us suppose that Alice and Bob wish to establish a key of length 4 bits.
We'll consider the case where the relays select the key to be used. $R_1$ and
$R_2$ communicate and agree on 4 elements chosen at random from their set
$\Sigma_{R_1R_2}^{(2)}$. For example, we suppose that they agree on the
following list (6,1,9,3) giving the key 1101. Now $R_1$ chooses, at random, the
indices from the set $\Sigma_{AR_1}^{(4)}$ that will give this key and
communicates the list of chosen indices to Alice. So, for example, in order to
communicate the key 1101 to Alice, $R_1$ might transmit the list (3,2,8,9). It
is important that once an index value has been selected it is eliminated from
any subsequent choice. The relay $R_2$ performs the same process with Bob and,
for example, might transmit the index list (4,9,2,10). At the end of this
process both Alice and Bob will share the key 1101.
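The two-relay linkage just described, as an added example that is not code from the paper. The three sets are constructed for illustration (they are not the paper's N = 10 table) and chosen so that the index lists quoted above yield the key 1101; the function names are assumptions of this example.

```python
import secrets

_rng = secrets.SystemRandom()

# Constructed error-corrected sets (N = 10); list position t-1 holds the bit of
# timeslot t. Not the paper's table, only chosen to match its index lists.
SIGMA_AR1_4 = [0, 1, 1, 0, 1, 0, 0, 0, 1, 1]    # Alice <-> R1, 4th set
SIGMA_R1R2_2 = [1, 0, 1, 0, 0, 1, 1, 0, 0, 1]   # R1 <-> R2, 2nd set
SIGMA_R2B_7 = [1, 0, 0, 1, 0, 1, 0, 1, 1, 1]    # R2 <-> Bob, 7th set


def read_key(sigma, slots):
    """Look up the bits at the announced timeslots (1-based)."""
    if len(set(slots)) != len(slots):
        raise ValueError("a timeslot was announced twice")
    return [sigma[t - 1] for t in slots]


def agree_key(sigma, length):
    """R1 and R2: pick `length` distinct random timeslots of their shared set."""
    slots = _rng.sample(range(1, len(sigma) + 1), length)
    return slots, read_key(sigma, slots)


def link(sigma, key):
    """Relay: for each key bit announce an unused timeslot holding that value."""
    unused = {0: [], 1: []}
    for t, b in enumerate(sigma, start=1):
        unused[b].append(t)
    for slots in unused.values():
        _rng.shuffle(slots)
    announced = []
    for bit in key:
        if not unused[bit]:
            raise ValueError(f"no unused timeslot left with bit value {bit}")
        announced.append(unused[bit].pop())   # pop: never offered again
    return announced


def establish(length=4):
    """Run the linkage once; return (Alice's key, Bob's key, public lists)."""
    _, key = agree_key(SIGMA_R1R2_2, length)   # known to R1 and R2
    to_alice = link(SIGMA_AR1_4, key)          # public message R1 -> Alice
    to_bob = link(SIGMA_R2B_7, key)            # public message R2 -> Bob
    alice = read_key(SIGMA_AR1_4, to_alice)
    bob = read_key(SIGMA_R2B_7, to_bob)
    return alice, bob, (to_alice, to_bob)


if __name__ == "__main__":
    alice, bob, public = establish()
    print("announced:", public, "Alice:", alice, "Bob:", bob)
```

Only the index lists travel over the public channel; the bit values never do, and `link` raises as soon as a set has no unused timeslot with the required value.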

As we have noted above, the selection of the bit values need not be restricted 
to a single set. These values could be chosen randomly from all available sets. 
In this case each bit value index must be accompanied by another integer which 
indexes the set from which it is taken. Thus a list of tuples must be transmitted. 
So, for example, the first relay could send Alice the list [(12, 4), (2, 1), ...(34, 10)]
which would indicate that the first bit of the key is the 4th element of their set
$\Sigma_{AR_1}^{(12)}$, and so on.

$^3$ We assume that such a selection has been made for the purposes of explanation of the
asynchronous bit-transport technique.

Of course, more sophisticated schemes for key establishment can be envisaged,
rather than just the straight linkage of the timeslots. For example, Alice
and the first relay could partition the data in their error-corrected sets into 10
bit blocks (say), where the elements of each block are selected at random by
publicly agreeing on a random sequence. In effect, a common random permutation
is applied to the set. The bit values of the key can then be established
by announcing a block and determining the parity. This procedure combines an
element of privacy amplification into the key establishment.

Again, the main limitation on this technique, from a security perspective, 
is that each network element knows the final key and so each network element 
(that is, the relays) needs to be trusted. If any one relay is compromised then 
the key between Alice and Bob can be determined by the attacker. We can 
adapt our previous secret sharing technique [9] to alleviate this problem so that 
an attacker has to compromise all of the relays on the channel. Let's look at 
an example of how this works. 

3.1 Securing a Multiple-Relay Channel 

Let us consider the following channel 

$A \to R_1 \to R_2 \to R_3 \to B$

Now let us suppose that a successful QKD transmission can be performed 
between network elements that are, at most, 2 steps away. The following quan- 
tum keys between Alice and Bob can therefore be established by utilizing the 
bit-transport technique outlined above; 

Quantum Key              QKD Channel

$QK_{AR_1R_2R_3B}$       $A R_1 R_2 R_3 B$
$QK_{AR_2R_3B}$          $A - R_2 R_3 B$
$QK_{AR_1R_2B}$          $A R_1 R_2 - B$
$QK_{AR_1R_3B}$          $A R_1 - R_3 B$
$QK_{AR_2B}$             $A - R_2 - B$

We can see that there is at least one channel in which a given relay does not
participate. So Alice and Bob establish these separate quantum keys and simply
XOR them together to obtain their final key. None of the relays now possess
this final key, and in order to obtain the key an attacker must compromise all of
the relays in the channel. If only one is not compromised, and therefore trusted,
the attacker cannot obtain the final key. For this particular example Alice and
Bob could establish either of the following final quantum keys$^4$

$QK_{AB} = QK_{AR_1R_2R_3B} \oplus QK_{AR_2R_3B} \oplus QK_{AR_1R_2B} \oplus QK_{AR_1R_3B} \oplus QK_{AR_2B}$

$QK'_{AB} = QK_{AR_2R_3B} \oplus QK_{AR_1R_2B} \oplus QK_{AR_1R_3B} \oplus QK_{AR_2B}$

The second key here would seem intuitively more preferable since relays 1
and 3 only participate in 2 out of the 4 channels. It is obvious how to extend this
to any general network configuration. Indeed, on multi-path networks we could
employ a combination of this single-channel secret sharing and the multi-path
secret sharing developed in [11]. Furthermore, on multi-path networks we could
choose any path, at random, for each key bit we wish to establish using the
bit-transport technique. The attacker would then be in the position of having
to compromise all of the relays on the multi-path network, or collect all the
data exchanged on all possible paths.

$^4$ Of course there are other final quantum keys that can be established. It is important,
however, that any relay has not participated in the establishment of all of the keys used in the
XOR. Thus, for example, if we tried to establish a key $QK_{AR_2R_3B} \oplus QK_{AR_1R_2B}$ then relay
2 knows the final key and the attacker would only have to compromise this relay in order to
obtain the final key.
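An added example (not from the paper) for Section 3.1: it enumerates the admissible paths along a chain of relays for a given reach, which for three relays and a reach of 2 gives the five keys in the table, and checks the footnote's condition that no relay took part in every key of the XOR. It generalises the three-relay case to any chain length and reach; representing each path as a tuple of relay indices, and all function names, are assumptions of this example.

```python
import secrets
from functools import reduce


def paths(n_relays, reach=2):
    """Relay sequences for every route A -> ... -> B along a chain of
    `n_relays` relays when one quantum transmission spans at most `reach` steps."""
    bob = n_relays + 1                      # node 0 is Alice, node n+1 is Bob
    found = []

    def walk(node, relays):
        if node == bob:
            found.append(tuple(relays))
            return
        for nxt in range(node + 1, min(node + reach, bob) + 1):
            walk(nxt, relays if nxt == bob else relays + [nxt])

    walk(0, [])
    return found


def on_every_path(chosen):
    """Relays that took part in every key of the XOR; any such relay can
    rebuild the final key by itself, so the result should be empty."""
    return set.intersection(*(set(p) for p in chosen))


def participation(chosen, n_relays):
    """How many of the chosen keys each relay helped to establish."""
    return {r: sum(r in p for p in chosen) for r in range(1, n_relays + 1)}


def xor_keys(keys):
    return reduce(lambda x, y: x ^ y, keys, 0)


def relay_view(relay, path_keys, chosen):
    """XOR of the path keys one relay holds, and the paths it is missing."""
    held = [path_keys[p] for p in chosen if relay in p]
    return xor_keys(held), [p for p in chosen if relay not in p]


ALL_FIVE = paths(3)                          # the five keys in the table
QK_PRIME = [(2, 3), (1, 2), (1, 3), (2,)]    # the four-key combination
BAD = [(2, 3), (1, 2)]                       # the combination the footnote rules out

if __name__ == "__main__":
    path_keys = {p: secrets.randbits(128) for p in ALL_FIVE}   # constructed keys
    for name, chosen in [("all five", ALL_FIVE), ("QK'", QK_PRIME), ("bad", BAD)]:
        print(name, "on every path:", on_every_path(chosen),
              "participation:", participation(chosen, 3))
    print("R2 rebuilds the bad key:",
          relay_view(2, path_keys, BAD)[0] == xor_keys(path_keys[p] for p in BAD))
```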



4 Conclusions 

We have shown how, with a suitable adaptation of our previous bit-transport 
and secret-sharing techniques [8,9], an asynchronous quantum key can be estab- 
lished between any two users on a network in such a way that an attacker has 
to compromise all of the intermediate network elements to obtain the final key. 
Indeed, in order to obtain even a limited amount of information about the key 
the attacker must collect the data between all network elements, even on dif- 
ferent paths. Of course, the standard operating assumptions of a normal single 
link QKD channel must be observed. So, for example, the public communica- 
tions between the various elements must be authenticated and any side-channel 
information must be protected. 